Technical Field
Embodiments of the present invention generally relate to point of sale (POS) transactions using a mobile device and, more particularly, to providing security for sensitive data received by and transmitted from a POS terminal device.
Related Art
With more transactions being contemplated at a point of sale (POS) device—e.g., a key terminal that allows “swiping” of a credit or debit card and entry of a personal identification number (PIN)—using mobile devices, there is a need to secure sensitive data sent from the POS device, which is fixed to a checkout lane in a store, to an acquirer or acquirer processor. An acquirer, for example, may be a part of a bank that receives and pays out funds as opposed to the part of the bank that issues credit, e.g., a credit card issuer. Processing of transactions may be performed by the acquirer, or the acquirer may employ a company that provides electronic commerce and payment processing solutions such as merchant transaction processing services; credit card data processing services for member banks; credit, debit, private-label, gift, payroll and other prepaid card offerings; electronic check acceptance services; Internet commerce and mobile payment solutions; or PIN-secured debit acceptance at ATM and retail locations. Whether performed by the bank itself or a service company, such a processor of transactions may be referred to as an “acquirer processor”.
At a POS, security for data (e.g., a consumer-entered PIN) sent from a POS device is generally provided with symmetric cryptography using a key management scheme, typically, a key management technique known as derived unique key per transaction (DUKPT). With DUKPT, an initial PIN encryption key (IPEK) is injected into the POS terminal device (e.g., PIN pad or keypad device for PIN entry) in a secure room, for example, by a manufacturer of the POS device. The IPEK initializes a process by which a unique key for each transaction (PIN entry) is derived, and using the derived unique key per transaction, the PIN is encrypted with symmetric cryptography, e.g., Triple Data Encryption Standard (3DES or TDES). The acquirer or acquirer processor, which receives the encrypted PIN and transaction information, may use a master key to help decrypt the PIN.
In cases where it was desired to expand capabilities at the POS terminal for accommodating additional acquirers or acquirer processors, one solution required all PIN pads to be brought back from the merchants to a secure room and a key injected into them. In some instances, such a solution was either prohibitively expensive or otherwise infeasible, and the acquirer opted to provide additional PIN pads for each merchant so that each POS had two PIN pads, even though such a solution may have been similarly expensive as well as potentially confusing to consumers.
Embodiments of the present disclosure and their advantages are best understood by referring to the detailed description that follows. It should be appreciated that like reference numerals are used to identify like elements illustrated in one or more of the figures, in which the showings therein are for purposes of illustrating the embodiments and not for purposes of limiting them.